Personal data of Astro customers offered for sale online

Last year, when we first reported on the massive 46.2 million telco data breach, we cautioned that if strict measures are not put in place, there will always be opportunists trying to make a quick buck by selling off personal data to the highest bidder.

Earlier this year, our crawlers stumbled upon an offer for sale of personal customer data belonging to pay TV operator Astro. The database was specific to Astro IPTV customers, and the seller claimed that they have up to 50,000 customer details, which included the Customers Name, Installation Address, MyKAD number, Mobile Phone Number, Equipment and Portal ID numbers, as well as subscribed package information.

The price? RM3,000 for 10,000 records, that roughly translates to about RM0.30 per customer. The offer for sale also included a ‘sample’ of about 5,000 records, which were dumped online.

We promptly notified Astro about the data breach in January, and they assured us that they take the protection of their customers info seriously, and will be working with the relevant authorities to contain and protect the confidential information. They also assured us that this would not happen again.

Astro on their part managed to remove all the traces of the data from the links we disclosed to them. We were expecting Astro to file a report on the issue, and make the necessary disclosure to their customers on the data breach, but to date, to the best of our knowledge, they have not. As the breach had been contained, we did not see any reason to follow up on this issue.

That is until early last week, when our crawlers stumbled upon a similar offer for sale of Astro customer details, that was very similar to our discovery in January. What really caught our eye this time was this statement by the seller.

Sample data published here have been edited as someone had reported this leak previously and I have managed to push it off to someone else

That statement confirmed our suspicion that this offer for sale, was put up by the same individual that we alerted Astro to in January. This time however, aside from the cheeky comment, the price of the personal data has gone up to RM4,500, per 10,000 records. The total number of records offered for sale had also gone up from 50,000 to 60,000. That translates to RM27,000 for 60,000 records. Not a bad return for selling illegally obtained private and confidential data.

The bigger question here is whether this data breach involves only the 60,000 records put up for sale here, or could Astro’s entire customer records, which totals up to around 3.6 million be affected as well.

Similar to our previous data breach disclosures, we have already alerted the relevant authorities in advance of our findings before publishing this story.

We are once again calling out to all organizations who handle personal data to ensure that they exercise due care and diligence in ensuring the safety of the personal data that has been entrusted to them.